An overview of the 3GPP 5G security standard
Building the inherently secure 5G system required a holistic effort, rather than focusing on individual parts in isolation. This is why several organizations such as the 3GPP, ETSI, and IETF have worked together to jointly develop the 5G system, each focusing on specific parts. Below, we present the main enhancements in the 3GPP 5G security standard.
These enhancements consist of a flexible authentication framework in 5G, allowing the use of different types of credentials besides SIM cards; enhanced subscriber privacy features putting an end to the IMSI catcher threat; additional higher protocol layer security mechanisms to protect the new service-based interfaces; and integrity protection of user data over the air interface.
Overview: Security architecture in 5G and LTE/4G systems
As shown in the figure below, there are many similarities between LTE/4G and 5G in terms of the network nodes (called functions in 5G) involved in the security features, the communication links to protect, etc. In both systems, the security mechanisms can be grouped into two sets.
- The first set contains all the so-called network access security mechanisms. These are the security features that provide users with secure access to services through the device (typically a phone) and protect against attacks on the air interface between the device and the radio node (eNB in LTE and gNB in 5G)
- The second set contains the so-called network domain security mechanisms. This includes the features that enable nodes to securely exchange signaling data and user data for example between radio nodes and core network nodes
New authentication framework
A central security procedure in all generations of 3GPP networks is the access authentication, known as primary authentication in 3GPP 5G security standards. This procedure is typically performed during initial registration (known as initial attach in previous generations), for example when a device is turned on for the first time.
A successful run of the authentication procedure leads to the establishment of session keys, which are used to protect the communication between the device and the network. The authentication procedure in 3GPP 5G security has been designed as a framework to support the extensible authentication protocol (EAP), a security protocol specified by the Internet Engineering Task Force (IETF). This protocol is well established and widely used in IT environments.
The advantage of this protocol is that it allows the use of different types of credentials besides the ones commonly used in mobile networks and typically stored in the SIM card, such as certificates, pre-shared keys, and username/password. This authentication method flexibility is a key enabler of 5G for both factory use-cases and other applications outside the telecom industry.
The support of EAP does not stop at the primary authentication procedure, but also applies to another procedure called secondary authentication. This is executed for authorization purposes during the set-up of user plane connections, for example to surf the web or to establish a call. It allows the operator to delegate the authorization to a third party. The typical use case is the so-called sponsored connection, for example towards your favorite streaming or social network site, where other existing credentials (e.g. username/password) can be used to authenticate the user and authorize the connection. The use of EAP makes it possible to cater to the wide variety of credential types and authentication methods deployed and used by common application and service providers.
Enhanced subscriber privacy
Security in the 3GPP 5G standard significantly enhances protection of subscriber privacy against false base stations, popularly known as IMSI catchers or Stingrays. In summary, it has been made very impractical for false base stations to identify and trace subscribers by using conventional attacks like passive eavesdropping or active probing of permanent and temporary identifiers (SUPI and GUTI in 5G). This is detailed in our earlier blog post about 5G cellular paging security, as well as our earlier post published in June 2017.
In addition, 5G is proactively designed to make it harder for attackers to correlate protocol messages and identify a single subscriber. The design is such that only a limited set of information is sent as cleartext even in initial protocol messages, while the rest is always concealed. Another development is a general framework for detecting false base stations, a major cause of privacy concerns. The detection, which is based on the radio condition information reported by devices in the field, makes it considerably more difficult for false base stations to remain stealthy.
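The concealment described above is, in the 5G standard, the SUCI: the device encrypts the subscriber-specific part of its permanent identifier (SUPI) under the home network's public key using an ECIES-style scheme (TS 33.501 Annex C), so that only routing information is sent in the clear. The following added example (not 3GPP or Ericsson code) reproduces that structure with standard-library Python only: a Diffie-Hellman exchange over a prime field and HMAC-SHA-256 stand in for the elliptic-curve profiles and AES-CTR of the real scheme, the group parameters are illustrative, and the SUPI layout (3-digit MCC, 2-digit MNC, MSIN) and sample subscriber are constructed.

```python
"""Toy SUCI-style SUPI concealment (added example, not 3GPP or Ericsson code)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: 2^127 - 1 is prime. The real scheme uses elliptic
# curves (TS 33.501 Annex C, profiles A/B); these parameters are illustrative only.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private, public) for the home network or an ephemeral device key."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _keystream(key, length):
    """HMAC-SHA-256 in counter mode, standing in for AES-128-CTR of the real profile."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive(shared):
    """Split a hash of the DH shared secret into an encryption key and a MAC key."""
    material = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return material[:16], material[16:]


def conceal(supi, home_pk):
    """Device side. Assumes an IMSI-type SUPI with a 2-digit MNC (constructed layout)."""
    mcc, mnc, msin = supi[:3], supi[3:5], supi[5:]
    eph_sk, eph_pk = keygen()                      # fresh ephemeral key per registration
    enc_key, mac_key = _derive(pow(home_pk, eph_sk, P))
    plain = msin.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, len(plain))))
    tag = hmac.new(mac_key, cipher, hashlib.sha256).digest()[:8]
    # MCC/MNC stay in clear so the serving network can route to the home network;
    # only the subscriber-specific MSIN is concealed.
    return {"mcc": mcc, "mnc": mnc, "eph_pk": eph_pk, "cipher": cipher, "tag": tag}


def deconceal(suci, home_sk):
    """Home network side: recover the SUPI, rejecting a modified SUCI."""
    enc_key, mac_key = _derive(pow(suci["eph_pk"], home_sk, P))
    expected = hmac.new(mac_key, suci["cipher"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    ks = _keystream(enc_key, len(suci["cipher"]))
    msin = bytes(a ^ b for a, b in zip(suci["cipher"], ks)).decode()
    return suci["mcc"] + suci["mnc"] + msin


def over_the_air(suci):
    """What a passive listener (or false base station) sees in the registration."""
    return {"mcc": suci["mcc"], "mnc": suci["mnc"], "cipher": suci["cipher"].hex()}


if __name__ == "__main__":
    home_sk, home_pk = keygen()
    supi = "262011234567890"                       # constructed sample subscriber
    first, second = conceal(supi, home_pk), conceal(supi, home_pk)
    print(over_the_air(first))
    print(over_the_air(second))                    # different ciphertext, same subscriber
    print(deconceal(first, home_sk) == supi)
```

Because a fresh ephemeral key is drawn for every registration, two registrations of the same subscriber produce unrelated ciphertexts, which is what defeats the passive identifier-collection attack; the MAC tag additionally lets the home network reject a SUCI that was altered in transit.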
Service based architecture and interconnect security
5G has brought about a paradigm shift in the architecture of mobile networks, from the classical model with point-to-point interfaces between network functions to service-based interfaces (SBI). In a service-based architecture (SBA), the different functionalities of a network entity are refactored into services exposed and offered on-demand to other network entities.
The use of SBA has also pushed for protection at higher protocol layers (i.e. transport and application), in addition to protection of the communication between core network entities at the internet protocol (IP) layer (typically by IPsec). Therefore, the 5G core network functions support state-of-the-art security protocols like TLS 1.2 and 1.3 to protect the communication at the transport layer and the OAuth 2.0 framework at the application layer to ensure that only authorized network functions are granted access to a service offered by another function.
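To make the application-layer authorization concrete, here is an added example (not 3GPP, Ericsson or any product's code) of the OAuth 2.0 flow between core network functions: the NRF acts as authorization server and issues a signed access token to a consumer NF, and the producer NF admits a service request only if the token is valid, addressed to its NF type, unexpired and scoped to the requested service. The claim layout follows the access token of TS 33.501 clause 13.4 as far as the author knows it (issuer, subject, audience, scope, expiry); the HMAC-SHA-256 signature is one of the JWS options, and the NF names, service names, authorization policy and keys are constructed for the example.

```python
"""Toy NRF-issued OAuth 2.0 access token for SBA service access (added example)."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Nrf:
    """NRF acting as OAuth 2.0 authorization server (constructed for the example)."""

    def __init__(self, nrf_id, signing_key):
        self.nrf_id = nrf_id
        self.key = signing_key
        self.registered = {}   # nfInstanceId -> nfType, filled by NF registration
        # Constructed authorization policy: consumer NF type -> producer NF type -> services
        self.policy = {"AMF": {"UDM": {"nudm-uecm", "nudm-sdm"}, "AUSF": {"nausf-auth"}}}

    def register(self, nf_instance_id, nf_type):
        self.registered[nf_instance_id] = nf_type

    def issue_token(self, consumer_id, target_nf_type, scope, ttl=300, now=None):
        """Return a signed JWT, or raise PermissionError if the consumer may not get it."""
        consumer_type = self.registered.get(consumer_id)
        if consumer_type is None:
            raise PermissionError("unregistered consumer NF")
        allowed = self.policy.get(consumer_type, {}).get(target_nf_type, set())
        requested = set(scope.split())
        if not requested <= allowed:
            raise PermissionError(f"{consumer_type} may not use {requested - allowed}")
        now = int(time.time()) if now is None else now
        claims = {"iss": self.nrf_id, "sub": consumer_id, "aud": target_nf_type,
                  "scope": scope, "iat": now, "exp": now + ttl}
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64(sig)}"


def verify_access(token, nrf_key, my_nf_type, service, now=None):
    """Producer NF side. Returns (True, consumer id) or (False, reason)."""
    try:
        header, claims_part, sig_part = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(nrf_key, f"{header}.{claims_part}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_part)):
        return False, "bad signature"          # checked before any claim is trusted
    claims = json.loads(_unb64(claims_part))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return False, "expired"
    if claims["aud"] != my_nf_type:
        return False, "token not addressed to this NF type"
    if service not in claims["scope"].split():
        return False, "service not in scope"
    return True, claims["sub"]


if __name__ == "__main__":
    key = b"nrf-signing-key-constructed"
    nrf = Nrf("nrf-1", key)
    nrf.register("amf-42", "AMF")
    token = nrf.issue_token("amf-42", "UDM", "nudm-sdm")
    print(verify_access(token, key, "UDM", "nudm-sdm"))     # (True, 'amf-42')
    print(verify_access(token, key, "UDM", "nudm-uecm"))    # (False, 'service not in scope')
```

The audience and scope checks are the part that matters operationally: a token stolen from an AMF cannot be replayed against an AUSF, and a token scoped to subscription data cannot be used to modify context management data, even though both are issued by the same NRF.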
The improvement provided by 3GPP SA3 to the interconnect security (i.e. security between different operator networks) consists of three building blocks:
- Firstly, a new network function called security edge protection proxy (SEPP) was introduced in the 5G architecture (as shown in figure 2). All signaling traffic across operator networks is expected to transit through these security proxies
- Secondly, authentication between SEPPs is required. This enables effective filtering of traffic coming from the interconnect
- Thirdly, a new application layer security solution on the N32 interface between the SEPPs was designed to provide protection of sensitive data attributes while still allowing mediation services throughout the interconnect
The main components of SBA security are authentication and transport protection between network functions using TLS, authorization framework using OAuth2, and improved interconnect security using a new security protocol designed by 3GPP.
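The third building block, protecting sensitive attributes while still allowing mediation on the interconnect, is easiest to see on a message. The following added example (not 3GPP or Ericsson code, and a simplification of the N32 application-layer protocol) has the sending SEPP encrypt the attributes listed in a protection policy and integrity-protect the whole message; an intermediary may not edit the protected body, but may append a signed modification, and the receiving SEPP applies that modification only if the signer is known and the attribute is one the policy allows intermediaries to change. The attribute names, protection policy, keys and sample message are constructed, and HMAC-SHA-256 in counter mode stands in for a real cipher.

```python
"""Toy N32-style selective protection between two SEPPs (added example, not 3GPP code)."""
import hashlib
import hmac
import json
import os

# Constructed protection policy: attributes encrypted end-to-end between SEPPs,
# and attributes an interconnect intermediary is allowed to modify in transit.
SENSITIVE = {"supi", "authenticationVector"}
IPX_MODIFIABLE = {"servingNetworkName"}


def _keystream(key, nonce, attr, length):
    """HMAC-SHA-256 counter-mode keystream bound to the message nonce and attribute name."""
    out, counter = b"", 0
    while len(out) < length:
        block_input = nonce + attr.encode() + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def _canon(obj):
    """Canonical JSON so both SEPPs MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def protect(msg, enc_key, mac_key):
    """Sending SEPP: encrypt sensitive attributes, integrity-protect the whole message."""
    nonce = os.urandom(12)                         # fresh per message, avoids keystream reuse
    body = {}
    for attr, value in msg.items():
        if attr in SENSITIVE:
            plain = _canon(value)
            body[attr] = {"enc": _xor(plain, _keystream(enc_key, nonce, attr, len(plain))).hex()}
        else:
            body[attr] = value
    envelope = {"nonce": nonce.hex(), "body": body}
    mac = hmac.new(mac_key, _canon(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "mac": mac, "mods": []}


def ipx_modify(protected, attr, value, ipx_name, ipx_key):
    """Intermediary: append a signed modification instead of editing the protected body."""
    mod = {"by": ipx_name, "attr": attr, "value": value}
    mod["sig"] = hmac.new(ipx_key, _canon(mod), hashlib.sha256).hexdigest()
    protected["mods"].append(mod)


def unprotect(protected, enc_key, mac_key, ipx_keys):
    """Receiving SEPP: verify, decrypt, then apply only permitted, correctly signed modifications.

    Returns (message, list of attributes whose modification was rejected)."""
    envelope = {"nonce": protected["nonce"], "body": protected["body"]}
    expected = hmac.new(mac_key, _canon(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, protected["mac"]):
        raise ValueError("N32 message integrity check failed")
    nonce = bytes.fromhex(protected["nonce"])
    msg = {}
    for attr, value in protected["body"].items():
        if attr in SENSITIVE:
            cipher = bytes.fromhex(value["enc"])
            msg[attr] = json.loads(_xor(cipher, _keystream(enc_key, nonce, attr, len(cipher))))
        else:
            msg[attr] = value
    rejected = []
    for mod in protected["mods"]:
        unsigned = {k: mod[k] for k in ("by", "attr", "value")}
        key = ipx_keys.get(mod["by"])
        signed_ok = key is not None and hmac.compare_digest(
            hmac.new(key, _canon(unsigned), hashlib.sha256).hexdigest(), mod["sig"])
        if signed_ok and mod["attr"] in IPX_MODIFIABLE:
            msg[mod["attr"]] = mod["value"]
        else:
            rejected.append(mod["attr"])
    return msg, rejected
```

The receiving SEPP ends up with an audit trail as well as the message: every change made on the interconnect is attributed to a named intermediary, and a change to an attribute outside the agreed list, or from an unknown signer, is dropped rather than silently accepted.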
Integrity protection of the user plane
In 5G, integrity protection of the user plane (UP) between the device and the gNB was introduced as a new feature. Like the encryption feature, support of the integrity protection feature is mandatory on both the devices and the gNB, while its use is optional and under the control of the operator.
It is well understood that integrity protection is resource demanding and that not all devices will be able to support it at the full data rate. Therefore, the 5G System allows the negotiation of which rates are suitable for the feature. For example, if the device indicates 64 kbps as its maximum data rate for integrity protected traffic, then the network only turns on integrity protection for UP connections where the data rates are not expected to exceed the 64-kbps limit.
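The following added example (not 3GPP or Ericsson code) works through the negotiation just described for a set of sessions: the device signals either 64 kbps or full data rate as its maximum integrity-protected rate, the operator's UP security policy for each session says whether integrity is required, preferred or not needed (the three values used in TS 33.501), and the network activates integrity protection only where the expected session rate fits the device's capability. The handling of the "required but unsupported" case, where the session is not set up rather than run without integrity, follows the author's reading of TS 33.501; the session names, rates and policies are constructed.

```python
"""Toy UP integrity activation decision per PDU session (added example, not 3GPP code)."""
from typing import Optional

FULL_RATE = None   # the device signals either 64 kbps or "full data rate"
RATE_64K = 64


def ue_supports_rate(ue_max_integrity_kbps: Optional[int], session_max_kbps: int) -> bool:
    """True if integrity protection at the session's expected rate is within the UE's capability."""
    return ue_max_integrity_kbps is FULL_RATE or session_max_kbps <= ue_max_integrity_kbps


def decide_up_integrity(policy: str, ue_max_integrity_kbps: Optional[int], session_max_kbps: int):
    """Decide for one session.

    policy is the operator's UP security policy for integrity: REQUIRED, PREFERRED
    or NOT_NEEDED. Returns (activate_integrity, accept_session, reason)."""
    fits = ue_supports_rate(ue_max_integrity_kbps, session_max_kbps)
    if policy == "NOT_NEEDED":
        return False, True, "operator policy does not ask for integrity on this session"
    if policy == "PREFERRED":
        if fits:
            return True, True, "activated: expected rate within UE capability"
        return False, True, "not activated: expected rate exceeds UE integrity capability"
    if policy == "REQUIRED":
        if fits:
            return True, True, "activated: policy requires it and the UE can support the rate"
        # A REQUIRED policy that cannot be honoured means the session is not set up at all
        # (assumed handling, see lead-in) rather than silently run without integrity.
        return False, False, "rejected: integrity required but UE cannot protect at this rate"
    raise ValueError(f"unknown UP integrity policy {policy!r}")


def plan_sessions(ue_max_integrity_kbps: Optional[int], sessions):
    """Apply the decision to (name, policy, expected max kbps) tuples, e.g. at PDU session set-up."""
    return {name: decide_up_integrity(policy, ue_max_integrity_kbps, rate)
            for name, policy, rate in sessions}


if __name__ == "__main__":
    # Constructed sessions for a device that can only protect up to 64 kbps
    sessions = [("iot-telemetry", "PREFERRED", 32),
                ("video", "PREFERRED", 5000),
                ("industrial-control", "REQUIRED", 48),
                ("high-rate-required", "REQUIRED", 500),
                ("best-effort", "NOT_NEEDED", 10000)]
    for name, outcome in plan_sessions(RATE_64K, sessions).items():
        print(f"{name:20s} integrity={outcome[0]!s:5s} accepted={outcome[1]!s:5s} {outcome[2]}")
```

Running the same session list with `FULL_RATE` instead of `RATE_64K` activates integrity on every session whose policy asks for it, which is the point of the negotiation: the capability signalled by the device, not a network-wide switch, decides where the feature is turned on.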
Learn more about security standardization
The security aspects are under the remit of one of the working groups of 3GPP, called SA3. For the 5G system, the security mechanisms are specified by SA3 in TS 33.501. Ericsson has been a key contributor to the specification work and has driven several security enhancements such as flexible authentication, subscriber privacy and integrity protection of user data.